Posted by Soulskill on Friday March 22, 2013 @05:25PM from the security-is-now-officially-hip dept.

wiredmikey writes "In an effort to increase security for user accounts, Apple on Thursday introduced a two-step verification option for Apple IDs. As the 'epic hacking' of Wired journalist Mat Honan proved, an Apple ID often carries much more power than the ability to buy songs and apps through Apple's App store. An Apple ID can essentially be the keys to the Kingdom when it comes to Apple devices and user maintained data, and as Apple explains, 'is the key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking, or wiping your devices.' 'After you turn [Two-step verification] on, there will be no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent to your trusted devices, or your Recovery Key,' a support entry announcing the new service explained."

The person who finds it would still need to know your password.
You can have multiple trusted devices (I set up my phone and iPad). There is also a special "recovery key" that can be used to get in to reset the trusted devices.

You print out a recovery number when you set it up. To change your password you need 2 of 3 things: the current password, a trusted device, or a recovery number. You are supposed to print it out, and hide it somewhere safe.

So, in other words, if a compromised computer is used to set this up it is trivial for the hacker to lock the user out of his account and take it over while at the same time making sure that it is nontrivial for the user to get it back?

Yes. If the computer is compromised that you are setting this up on you can still be e-injured. However, at that point they had your password anyways via a keylogger. For everyone else, this is a great bonus to their security except for those who it is already too late. In other words, verify checksums of all files you get off of websites, use adblock plus + scriptsafe in chrome / comodo dragon or whatever browser you use (noscript/adblock for firefox for example), malwarebytes clean your pc, virus scan your

But what happens when the trusted device is the iPhone that's just gone missing?

You can have multiple trusted devices, and choose which one you want to use at any point in time. And you can remove devices from that list if they are lost or stolen (or, for that matter, if you just sell it).

This is interesting - went to set up two factor authentication; logged into the Apple site, then went to the passwords and security section, which asked for my two 'security questions' - which I never gave them. At this point, you can't get anywhere else. You're dumped to a KB article that is clearly incorrect and other than waiting online for an AppleDrone to tell me it's not really a problem (the usual Apple response to things), there is nothing else I can do.

Yeah, right, they just magically put in answers to your security questions for you.

Most likely you were prompted at some point to put them in, and being the clever but paranoid (and more than slightly annoyed at the time) geek that you are, you gave them bullshit responses (so that someone who knows you can't put in the info, like they are going to check which school you went to and who your childhood friend was, or whatever!). The only problem is that you didn't write them down and totally forgot about it.

(And for a point of interest, only some of the LG retina models have a ghosting which is generally only found in contrived testing scenarios and not in normal use. That's still bad, but nothing so bad as many people (who don't even own one) like to portray it as.)

If I didn't have to type my password all the freakin' time, I might generate an actually secure one. Granted, iOS has gotten somewhat better with the latest updates- at least it doesn't ask me for every app update anymore. But, still...

Blame all the developers and users for that one then. Back in iOS 4 days, parents would download an app and then find their kids have spent thousands of dollars on smurfberries on their credit card bill, so parents demanded action. Apple went ahead and split the timer between

Indeed, the last time I can remember having to enter my Google password for my Android phone, was when I bought it. And that's why it's a randomly generated password of some length (and two-factor protected). My AppleID is.... not.

Apple could have solved this in so many ways that are more convenient. Like, god forbid, letting the user decide between several options. That way I could get one I would be happy with (a confirmation dialog to avoid accidental clicks), and parents could get one they are happy wit

Here is my thing. A secure password is needed to protect the user against a random attack, presumably coming from the interwebs. Except that security is hard and expensive, so there are always going to be attacks that are not password related. Social engineering, hacking a server, using the password reset mechanism. All these get passwords and the complexity is irrelevant. All that wasted personal effort to maintain good passwords with no benefit.

I said *I* don't want. I'm not trying to impose my choice upon others. I'd much prefer Apple added a configurable option to cater both for people that hand their gear to kids, or people they don't know, or habitually misplace hundreds of dollars worth of kit, as well as for people like me that do not.

I think the main problem is that if that's even an option, far too many people would turn it on (either knowingly or unknowingly), only to later find themselves running afoul of one of the many scenarios a password-free purchasing system would allow.

The part I don't quite get is, how often do you need to type your password? When you buy from the stores (and there's a timeout period during which you don't need to type it). This can't be all

To be honest, if my password is a 30 character one that takes me several minutes to pull up on my computer's password safe and type in using a phone's keyboard, it doesn't take very often for that password to be dumbed down to something more convenient.

The problem is that password is not protecting the phone, but the account, accessible from anywhere. Dumbing down the password is a bad solution. I'd be equally happy with a middle ground, like a PIN code to purchase as opposed to the full password. Which, in

When I count, I see the username and password as two factors. The factors, as I understand it, should be a combination of something you have (CAC, ATM card), know (username, password), and are (retina scan, fingerprint, voice pattern). Using that definition, username and password are two factors. It's quite possible to have a single factor, i.e. password only to log in on a device. A smart phone is a perfect example. You have your PIN, but no

Both username and password are something you know. Perhaps you can claim the username is something you have, but I'm pretty certain they mean physically with that. Also, I think it has to have two of the three things (ie. Something you know and something you have as opposed to two things you know). I may be wrong, but I think that's how it's measured...

You are correct, technically, but the real value of these kind of two-factor authentication techniques is that they are immune to replay attacks. Someone listening in to the Apple login process can't re-use the transmitted SMS code, because Apple expects to see a different code each time you log in.

"Multi-factor authentication (also Two-factor authentication, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is")." Wikipedia [wikipedia.org]

While a username and password are two "things," as you wrote yourself they are both things that you know so they only involve one authentication factor. So

For the most common 2-factor authentication in place today (e.g. if you enable for Gmail) the authenticating entity sends a code to your device in order to tie this to something that you have (your phone) and thereby introduce the possession factor.

I would say the most common 2-factor authentication is at the ATM, where you need to present your ATM card and enter your pin.

Yep, that's a good example of 2FA. Calling "username and password" two factors is foolish; your username isn't even an authentication credential at all in most cases (that is, it's typically at least semi-public information). It's an identifier, not a credential.

However, even if the username is treated as a second password, then you don't really have two passwords; you have one long password with a break in the middle. There's no meaningful difference between them at that point.

That's like saying when I log in to my mail account it's two factor, too, because I need something I know (my email credentials) and a computer to type it in (which is something I need to have). Sorry, but that doesn't constitute a two factor authorization yet.

The "something you have" must be sufficiently unique that duplication is nontrivial or (preferably) impossible. What may make it "something you have" is in this case the fact that there is only one phone with this phone number, not the fact that you g

Not really. There are two issues: 1) Two factor authentication is generally (always?) accepted as being two factors of different types (ie, you cannot have two things you know, two things you are, or two things you have...the two things must be from different categories). This is more secure because it means the two factors must be attacked through completely different channels (if you had two passwords, the same attack to steal the first password could be used to steal the second password). It is analogous

Well, the confusion is understandable as "two factor" has been applied (wrongfully) to two very different and distinct security paradigms. First, the one you describe where the "factors" are having/knowing/being. The other one determines the "factor" by the paths information takes to negotiate between the two parties involved.

In this specific case, where "factor" is used somewhat incorrectly IMO, a more appropriate designation would be "multi-channel", one "factor" is the link through the computer, the othe

I tried to set mine up, and now Apple is saying I need to wait 3 days before the process can be completed. I'm in no hurry, but this feels kind of arbitrary, when other popular services (Google, Blizzard, et al) can set this form of authentication up instantly.

If you've reset your password or changed your security questions, they make you wait first. This prevents somebody from stealing your account, changing the password, and then turning on two-factor authentication preventing you from ever getting it back. As they also note in that article, if you use two-factor authentication, they become unable to reset your password. If you ever lose two of the three things needed to log in (your password, your verified device(s), and your recovery key), then you cannot make any changes to your account. (And if you lose all three, you can't even log in from an already-trusted device.)
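The two mechanics this thread keeps circling back to, a verification code that is single-use so a captured one cannot be replayed (the point made about Apple "expecting a different code each time"), and the two-of-three rule (password, trusted device, recovery key) for changing the account, modelled in Python. This is an added illustration with constructed values, not Apple's code; the class, its code length and the ten-minute expiry are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed lifetime of a code sent to a trusted device


class AppleIdModel:
    """Constructed model of the thread's 2-of-3 scheme; not Apple's implementation."""

    def __init__(self, password, recovery_key, trusted_devices):
        self._password = password
        self._recovery_key = recovery_key          # the printed recovery key
        self.trusted_devices = set(trusted_devices)
        self._pending = {}                         # device -> (code, expiry)

    def remove_device(self, device):
        """Drop a lost or sold device; any code pending for it dies with it."""
        self.trusted_devices.discard(device)
        self._pending.pop(device, None)

    def send_code(self, device, now=None):
        """Issue a fresh 4-digit code to one trusted device (SMS / push). A new
        code replaces any earlier one, so only the latest is ever accepted."""
        if device not in self.trusted_devices:
            raise ValueError("not a trusted device")
        code = f"{secrets.randbelow(10_000):04d}"
        now = time.time() if now is None else now
        self._pending[device] = (code, now + CODE_TTL_SECONDS)
        return code

    def check_code(self, device, code, now=None):
        """Single-use and time-limited: a code seen on the wire cannot be replayed."""
        entry = self._pending.get(device)
        if entry is None:
            return False
        expected, expiry = entry
        now = time.time() if now is None else now
        if now > expiry or not hmac.compare_digest(expected, code):
            return False
        del self._pending[device]                  # burn the code on first use
        return True

    def factors_present(self, password=None, device=None, code=None,
                        recovery_key=None, now=None):
        """Return which of the three factors the caller has just proven."""
        present = set()
        if password is not None and hmac.compare_digest(self._password, password):
            present.add("password")
        if device is not None and code is not None and self.check_code(device, code, now):
            present.add("trusted_device")
        if recovery_key is not None and hmac.compare_digest(self._recovery_key, recovery_key):
            present.add("recovery_key")
        return present

    def can_change_password(self, **proof):
        """The thread's rule: any two of password, trusted device, recovery key."""
        return len(self.factors_present(**proof)) >= 2
```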

Disappointing. As someone with only one mobile device (i.e. the one I want to protect) this is not very useful. Would be a lot better with a security token similar to those used by banks. However I'll probably enable it anyway as in my particular case I'm more worried about someone I know getting into the account, which this DOES protect from even though it'll make me more vulnerable if my phone is stolen.

(Disclaimer: I only own an iPhone as I inherited it. I don't particularly enjoy getting screwed by Apple

Since Apple refuses to allow merging of Apple IDs, I have multiple IDs: iCloud, iTunes and other. The way Apple implemented this, you have to use the Find My iPhone app or SMS. The Find My iPhone app is tied to iCloud so it can only be used with an iCloud account, making it useless for a separate iTunes account which is where my devices are registered. That leaves SMS, which also has issues since the same phone number can't be used for different accounts. Plus many people, myself included, don't pay for